AustralianSuper six-day delay on cyber scam

AustralianSuper sat on its hands for close to a week after scammers wiped more than $400,000 from a pensioner’s account.

Scammers looted more than $400,000 from a retiree’s AustralianSuper account in late March, but the fund took days to contact the relevant bank to see if it could recover any money.
The Australian Business Network

AustralianSuper sat on its hands for close to a week after scammers wiped more than $400,000 from a member’s account and funnelled the money through the Commonwealth Bank, only alerting the lender of the fraud six days after the victim raised the alarm.

The super fund’s call centre staff failed to escalate the issue up the ranks when contacted by the member on March 28 and repeatedly refused her requests to speak to fraud specialists in the following days.

The day before the victim alerted the fund to the scam which virtually wiped out her retirement savings, AustralianSuper had detected fraudulent activity on its system. It was six days before it informed Home Affairs it suspected a broader cyber attack.

As revealed on Monday by The Australian, scammers siphoned $406,000 from a 74-year-old Queensland woman’s AustralianSuper account between March 20 and March 27, wiping out 90 per cent of her retirement savings.

Six unauthorised withdrawals were made from her super fund account over the week to five different CBA accounts, believed to be “mule accounts”, with the transactions failing to raise any flags at AustralianSuper despite the scammers repeatedly changing the member’s bank account details, including twice in one day.

The pensioner, who asked to remain anonymous, was only made aware of the fraud when she received two separate letters from AustralianSuper confirming successful withdrawals of $20,000 and $100,000 on March 21 and March 24.

It took two calls from the victim before the fund froze her account. Picture: Supplied

The letters were received on March 28, more than a week after the first lot of money was siphoned from her account.

It took two calls from the victim — hours apart — on March 28 before the fund froze her account, blocking the scammers.

At that stage she believed the criminals had made off with $265,000 of her savings. It was only on April 1 the fund disclosed the true losses.

AustralianSuper alerted regulators and the government to the crime that same week and finally reached out to CBA on April 3. By then the money was long gone.

AustralianSuper could not confirm to The Australian if it ever filed an official fraud report with the bank.

The retiree is one of four victims to have lost a combined $500,000 due to a co-ordinated cyber attack aimed at the nation’s biggest super funds, including AustralianSuper, Australian Retirement Trust, Hostplus and Rest, along with Insignia-owned platform MLC Expand. Construction industry super fund Cbus was targeted in a similar attack days later, with AustralianSuper the only fund to date to confirm member losses. The fund on Monday said it would repay the $500,000 to the four victims out of its operational risk reserve. This reserve is funded by member fees.

There may also be further losses. All up, 600 AustralianSuper accounts were breached, with the fund now combing through each of these to see if any more member money has been taken. The fund expects to complete this investigation by Friday, more than three weeks after the scammers first gained access to member accounts.

AustralianSuper failed to protect its members’ accounts using what is known as multi-factor authentication (MFA) — a security standard many of the big banks use and advocate.

This has left the door open for potentially hefty financial penalties from the Australian Prudential Regulation Authority if it is found the super funds’ digital security systems were weak or insufficient.

APRA on Tuesday said it had heightened its oversight of the industry since the cyber attack.

“Supervision has been heightened … with a focus on information sharing and the monitoring and containment of issues,” an APRA spokeswoman said. “Australian superannuation funds and other Australian financial institutions are required to protect members’ funds.”

Consumer Action Law Centre chief executive Stephanie Tonkin said the breach should serve as a wake-up call.

“For a long time the super industry has avoided scrutiny and perhaps that’s a reason they’ve been slow to invest in (security) protections. But, these are major failures and there’s so much wealth now in the super system, the stakes are very high,” she said.

Original URL: https://www.theaustralian.com.au/business/financial-services/australiansuper-sixday-delay-on-cyber-scam/news-story/dd964f193560d80d32652d0355b6f128